Well, if someone is interested, I have a custom-created PHP script, run
by a cron job, that scans auth.log and then creates a firewall rule if it
detects brute force attacks and/or a certain number of incorrect
authentications. It clears all rules occasionally. It may scan other
ports as well, such as pop, smtp, ftp.

It is for FreeBSD (server) and may be adapted to NetBSD easily. If
people think it is useful, I can maintain it...

PS: I also have rules to block certain IP ranges, such as the whole Africa
region, Latin America and the Asia region... I can give those IPs too.

Regards,
Ingbert Meyer, 10/16/08 12:36:

Volkmar Seifert wrote:

Out of curiosity I'd like to come back to my initial question above: Does
anybody have experience or further reading about NetBSD firewall and the
PAM system? Installing the PAM-af package was easy, but it's obviously not
working. How do I start it? I assume the relevant files are located in
/etc/pam.d/, but I'm reluctant to change anything without deeper
understanding - for fear that my attempt to fix a problem may open a
security hole.

You should be aware that you need to enable the usage of PAM within
/etc/ssh/sshd_config (UsePAM yes|no). Sadly, the man pages of SSH in
NetBSD do not mention this.
Here is an excerpt of an SSH man page I have from another system:
<snip>
UsePAM
    Enables the Pluggable Authentication Module interface. If set to
    ``yes'' this will enable PAM authentication using
    ChallengeResponseAuthentication and PAM account and session module
    processing for all authentication types.

    Because PAM challenge-response authentication usually serves an
    equivalent role to password authentication, you should disable either
    PasswordAuthentication or ChallengeResponseAuthentication.

    If UsePAM is enabled, you will not be able to run sshd(8) as a non-root
    user. The default is ``no''.
</snip>
PAM is automatically installed with NetBSD nowadays, so all you -should-
need to do is to enable it within the sshd_config, and maybe edit the
/etc/pam.d/sshd file appropriately.
How pam-af is brought to work, I cannot say. I have no experience with
it, since I have never used it. All I can say is, it needs to be inserted
into /etc/pam.d/sshd, probably with a line like this one:
auth required pam_af no_warn
How it can be told whether to call pf, ipf or whatever
packetfilter CLI tool to use, I cannot say.
Information about pam-af seems a bit thin.
I hope this was helpful in regard to your original question.

(denyhosts looks a bit easier to me, since you need neither a
packetfilter nor PAM, and /etc/hosts.deny and tcpwrappers exist on your
system anyway, and transparently so.)
- Volkmar

Besides enabling PAM authentication in sshd_config, you have to give
'pam_af' some rules about what to do: read the 'pam_af_tool' man page.

I have been using it for about half a year now and it seems to work quite
reliably, according to the list
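As an added example (not the PHP script offered in the first message of this thread, which was never posted), the sketch below shows the same idea in Python: scan sshd failures in auth.log, count them per source address, and emit pf table commands for addresses over a threshold, plus the periodic flush the poster mentions. The log lines are constructed for the example. It assumes a pf table named "bruteforce" that pf.conf already blocks (for instance with a rule like "block in quick from <bruteforce>"); the table name, the threshold, the never-block list and the dry-run behaviour (commands are returned as strings, not executed) are all choices of this example, not anything the thread specifies.

```python
import re
from collections import Counter

# Constructed sample of auth.log content (not from the thread); the lines
# mimic the "Failed password" / "Invalid user" messages sshd sends to syslog.
SAMPLE_AUTH_LOG = """\
Oct 16 12:01:02 host sshd[2031]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 16 12:01:04 host sshd[2031]: Failed password for root from 203.0.113.5 port 40123 ssh2
Oct 16 12:01:06 host sshd[2035]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Oct 16 12:01:09 host sshd[2040]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2
Oct 16 12:01:11 host sshd[2044]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Oct 16 12:02:30 host sshd[2050]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 16 12:02:45 host sshd[2052]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Oct 16 12:03:00 host sshd[2060]: Invalid user guest from 192.0.2.9
"""

# Matches the two sshd failure messages above and captures the source IPv4.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Assumed name of the pf table that pf.conf blocks (example choice).
PF_TABLE = "bruteforce"

# Addresses that must never be blocked, e.g. the admin's own management
# host; a real deployment would fill this from a config file. Example value.
NEVER_BLOCK = frozenset({"198.51.100.7"})


def count_failures(log_text):
    """Return a Counter of failed sshd authentications keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold, never_block=NEVER_BLOCK):
    """Source IPs with at least `threshold` failures, minus the never-block list."""
    return {
        ip for ip, n in count_failures(log_text).items()
        if n >= threshold and ip not in never_block
    }


def pf_commands(ips, table=PF_TABLE):
    """pfctl commands that would add each offender to the blocking table.

    Returned as strings so the caller can review or log them; the cron job
    would run them, e.g. via subprocess.run(cmd.split(), check=True).
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


def pf_flush_command(table=PF_TABLE):
    """The periodic 'clear all rules' step from the thread, as a pf table flush."""
    return f"pfctl -t {table} -T flush"


if __name__ == "__main__":
    for cmd in pf_commands(offenders(SAMPLE_AUTH_LOG, threshold=3)):
        print(cmd)
    print(pf_flush_command())
```

Run against the sample, only 203.0.113.5 crosses a threshold of 3 (five failures), while the single failure from 198.51.100.7, followed by a successful key login, stays below it and is on the never-block list anyway. A real deployment would also want the flush to run on a schedule separate from the scan so that a blocked attacker is not released while still active.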